Exam 350-401 topic 1 question 259 discussion

gentlemen, here some helping thoughts. aaa new-model invalidates the previous configuration aaa authentication login <name OR default> group <Radius or TACACS> <fall back mechanisms such as NONE> DO NOT be confused by VTY or TELNET in the AAA Authentication List name which is just a name and lists the options to the right of it. the requirements of TACACS and NO PASSWORD -> always watch out that you have the NO PASSWORD = NONE keyword at the end of the line. next is the question about LOGIN to LOGIN only you dont need a LINE VTY LOGIN AUTHENTICATION LOCAL or PASSWORD XZY as these would be only required if you wanted to ellevate your default priv-level from 1 to a higher number (in this case 15) HTH

When aaa is enabled the default authentication list is automatically applied on all Console and VTY lines; unless a named list is explicitly defined on that given line. For named lists to be effective, they must be explicitly configured on the desired console and VTY line. In option A, the named list is ineffective, why? because we should explicitly configure it on the VTY lines (0-4) using the 'login authentication telnet' command under VTY line config - "telnet" is the aaa_list_name Therefore, the answer is D.

I'm pretty sure the answer is D. The aaa auth line is OK, it uses default autentication list with tacacs and for fallback method none. aaa new-model overdides password line form vty section so we can ignore it.

Guys, I did not see any correct answers from provided choices, if you use "none" keyword in the end you fail to connect after tacacs failure: cisco_R3(config-line)#do s runn | s aaa aaa new-model aaa authentication login test_0 group tacacs+ none aaa session-id common cisco_R3(config-line)# cisco_R3(config-line)#do s runn | s vty 0 4 line vty 0 4 exec-timeout 30 0 password 7 06030B logging synchronous login authentication test_0 transport input telnet cisco_R3(config-line)#

transport input method should be defined under line vty line vty 0 4 password 7 02050D480809 transport input telnet R9#sh run | sec aaa aaa new-model aaa authentication login default group tacacs+ none aaa session-id common R7#telnet 155.1.79.9 Trying 155.1.79.9 ... Open R9>

my mistake. If you use "default" group nothing needs to be added to vty line. Correct is C

question seem to be incorrect. to use aaa on vty you need a command "login authentication <aaa group name>". If only password is configured it will prompt for username

D is correct answer

I'm a bit confused on this one. Shouldn't the answer be A? The question says 'If TACACS is unavailable, login is allowed without any provided credentials' Answer D has a password configured on the VTY line - doesn't this mean you'd need to provide credentials to log in, meaning D is incorrect? A is the same as D but doesn't have a password configured, so shouldn't the answer then be A?